You can use this function to determine which actions a user can execute for specific fields in a business transaction, such as a sales or service order. You can, for example, allow only specific users to change the fields in a business transaction. It is therefore possible to allow only those employees with special authorization to change quantities retroactively after the sales order has been delivered.
In addition, you can use the authorization check not only for individual fields, but also for a business transaction component's entire table entry, such as order item, partner, and transaction history. This enables an advanced and targeted authorization check.
You can influence the following user actions (modes) by using the authorization check:
Create
Display
Change
Delete
The Create and Delete modes are only available when using the entire business transaction component. As a result, you cannot enter field names in the IMG activity Define Authorization Group.
When you choose the Display and Change modes, you must specify a field name to which the action should relate.
Caution
You can hide fields for certain users by using the Display mode for the appropriate field (see prerequisites) in the IMG activity Define Authorization Group in Customizing. This is only supported by CRM E-Commerce.
You can find more information about the use of this function in CRM E-Commerce in the SAP Implementation Guide (IMG), under .
You have created an authorization with reference to authorization object CRM_FLDCHK, assigned this authorization to an authorization profile, and assigned this profile to the corresponding user.
Note
When you create the authorization with reference to the authorization object CRM_FLDCHK, you can only specify one value (whole number) for the Authorization Level field. The authorization check cannot process ranges (for example, 1–12) or multiple values (for example, 5,7,9).
You have defined authorization groups in Customizing and assigned fields to them. An authorization group is a type of field group, and consists of a collection of fields. You make the entries for this in Customizing for Customer Relationship Management, under .
Note
For performance reasons, you should determine the rules for the authorization check carefully. Only use the asterisk value (* = all transaction types) in the IMG activity Maintain Authorizations at Field Level, in the columns Transaction Type and Item Category, if all the transaction types or item categories should be analyzed for this authorization rule in the authorization check.
You have assigned an authorization level for each authorization group in Customizing in connection with the key fields transaction type, item category, and delivery status. You make these entries manually in Customizing for Customer Relationship Management, at . You fill the control table CRMM_AUTH_FIELD with these entries.
Caution
Control table CRMM_AUTH_FIELD is created as a master data table, and therefore cannot be transported. For this reason, you should maintain this control table in your productive system.
When you have made the necessary settings in Customizing for SAP CRM, the system performs the authorization check at field level when processing a sales transaction.
To be able to perform an authorization check at field level, the system analyzes specific information during the check. This includes:
Key fields (transaction type, item category, and delivery status) that control whether the rule can be applied.
The rule is only applied if the values of the key fields in the transaction agree with those of the key fields in the control table CRMM_AUTH_FIELD.
Authorization level from the authorization object of the user. The user receives a specific authorization level via an authorization object. The authorization object contains the following fields:
Activity
Authorization group
Authorization level
Other entries in the control table, such as authorization group and authorization level for each authorization group.
In the authorization check, the system analyzes the control table CRMM_AUTH_FIELD and checks whether the authorization level from the control table is higher or lower than the authorization level in the user's authorization object. If the user’s authorization level in his or her authorization object is at least as high as the authorization level in the control table, he or she is permitted to overwrite the field. If his or her authorization level is lower than that in the control table, he or she cannot change the field.
If a field is assigned to multiple authorization groups, then all the authorization groups are checked independently of each other. The user must have authorization for all the authorization groups at the required level. If the control table does not contain any data, the authorization check is not carried out.
Adding Additional Key Fields
You can use a Business Add-In (BAdI) to make further fields available for the authorization check at field level. The Transaction Type, Item Category, and Delivery Status fields are shipped for this purpose as standard. If you want to use more fields (which you have added to the control table CRMM_AUTH_FIELD) for the authorization check, you can calculate the values of these additional fields with this BAdI and transfer them to the authorization check.
For more information, see the Implementation Guide (IMG) at Business Add-In for Checking Fields.
Caution
If you have added additional key fields, you must assign an asterisk to them in the IMG activity Maintain Authorizations at Field Level. This is the only way to ensure that the rules previously created for the authorization check are correctly analyzed by the system.
Simple Example for "Change Fields" Authorization
a) Customizing Settings in the IMG Activity Define Authorization Group
Definition of authorization group 0001 – Authorization group 0001 consists of the following fields:
Quantity
Customizing Data
Object Name | Logical Key | Field Name | Mode
SCHEDLN | No entry | QUANTITY | Change
Unit of Measurement
Customizing Data
Object Name | Logical Key | Field Name | Mode
PRODUCT_I | No entry | PROCESS_QTY_UNIT | Change
Definition of authorization group 0002 – Authorization group 0002 consists of the following fields:
Pricing Date
Customizing Data
Object Name | Logical Key | Field Name | Mode
PRICING | No entry | PRICE_DATE | Change
Price Lists
Customizing Data
Object Name | Logical Key | Field Name | Mode
PRICING | No entry | PRICE_LIST | Change
b) Customizing Settings in the IMG Activity Maintain Authorizations at Field Level
The following entries are maintained in the control table CRMM_AUTH_FIELD:
Entries in the Control Table
Transaction Type | Item Category | Authorization Group | Authorization Level
TA | TAN | 0001 | 15
TA | TAN | 0002 | 10
c) Authorization Object CRM_FLDCHK
The user has the following authorizations:
Authorization group 0001 | Authorization level 6
Authorization group 0002 | Authorization level 12
d) Outcome from Sample Data
When the user creates a sales order with transaction type TA and item category TAN, he or she cannot change the fields of authorization group 0001 (Quantity and Unit of Measure), as he or she only has authorization level 6 for this, and this value is below authorization level 15 from the control table. The user can, however, change the fields of authorization group 0002 in the order (Pricing Date and Price List), as he or she has authorization level 12, which is above authorization level 10 from the control table.
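The check described above, modeled in Python as an added example (it is not SAP code and not part of the original documentation). It uses the sample data from sections a) to c); the delivery status key is left out, as in the sample control table, and treating a user who has no authorization for a group as failing the check is an assumption of this model.

```python
# Added illustration: a model of the rules described on this page, not SAP code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:                      # one row of control table CRMM_AUTH_FIELD
    trans_type: str              # "*" matches every transaction type
    item_cat: str                # "*" matches every item category
    auth_group: str
    level: int

# Define Authorization Group: (object name, field name) -> groups, mode Change
FIELD_GROUPS = {
    ("SCHEDLN", "QUANTITY"): ["0001"],
    ("PRODUCT_I", "PROCESS_QTY_UNIT"): ["0001"],
    ("PRICING", "PRICE_DATE"): ["0002"],
    ("PRICING", "PRICE_LIST"): ["0002"],
}
CONTROL_TABLE = [Rule("TA", "TAN", "0001", 15), Rule("TA", "TAN", "0002", 10)]
USER_LEVELS = {"0001": 6, "0002": 12}   # one whole number per group (CRM_FLDCHK)

def _matches(rule_value, actual):
    return rule_value == "*" or rule_value == actual

def may_change(field, trans_type, item_cat, user_levels, table, field_groups=FIELD_GROUPS):
    """Return True if the user may change `field` in this transaction."""
    if not table:                # empty control table: the check is not carried out
        return True
    for group in field_groups.get(field, []):
        for rule in table:
            if rule.auth_group != group:
                continue
            if not (_matches(rule.trans_type, trans_type) and _matches(rule.item_cat, item_cat)):
                continue         # key fields disagree: the rule is not applied
            # Assumption: a group missing from the user's authorizations fails.
            if user_levels.get(group, -1) < rule.level:
                return False     # every applicable group must be satisfied
    return True

def audit(table):
    """Flag control-table states that this page cautions about."""
    findings = []
    if not table:
        findings.append("control table empty: field-level check is skipped")
    for r in table:
        if r.trans_type == "*" or r.item_cat == "*":
            findings.append(f"group {r.auth_group}: wildcard rule is analyzed for all types")
    return findings
```

Because CRMM_AUTH_FIELD cannot be transported, audit() is the kind of check worth running against the productive system after a system copy or refresh, where an empty table would silently switch the field-level check off.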
More Complex Examples for Business Transaction Components
Order Item (ORDERADM_I)
You can allow users to change or display the individual fields of business transaction component Order Item (ORDERADM_I), but only in CRM E-Commerce. In the IMG activity Define Authorization Group, for example, choose the following entries:
Object Name | Logical Key | Field Name | Mode
ORDERADM_I | No entry | ITM_TYPE | Change or Display
You can allow the creation or deletion of order items for the entire business transaction component. In the IMG activity Define Authorization Group, for example, choose the following entries:
Object Name | Logical Key | Field Name | Mode
ORDERADM_I | No entry | No entry | Create or Delete
Partner (PARTNER)
You can allow users to change or display the individual fields of business transaction component PARTNER, but only in CRM E-Commerce. In the IMG activity Define Authorization Group, for example, choose the following entries:
Object Name | Logical Key | Field Name | Mode
PARTNER | 00000002 | CITY | Change or Display
You can allow the creation or deletion of partners in the business transaction for the entire business transaction component. In the IMG activity Define Authorization Group, for example, choose the following entries:
Object Name | Logical Key | Field Name | Mode
PARTNER | No entry | No entry | Create or Delete
With the assignment of a logical key, you can make the authorization check even more detailed for entire subobjects or fields of a subobject in a business transaction component.
For example, you can permit only a specific authorization group to change the corresponding fields of object Partner that exclusively relate to the partner function Ship-To Party (logical key: 00000002). In the IMG activity Define Authorization Group, for example, choose the following entries:
Object Name | Logical Key | Field Name | Mode
PARTNER | 00000002 | No entry | Create or Delete
PARTNER | 00000002 | CITY | Change or Display
Note
If there is no logical key available for the entire business transaction component or for part of it, the rule is valid for all subobjects. For example, for the object Partner, the rule is valid for all partner functions.
If you select the field ADDR_NR for the business transaction component PARTNER and the logical key 00000002, you can prevent unauthorized users from being able to change the complete delivery address in the sales order.
Transaction History (DOC_FLOW)
You can control actions for campaigns and trade promotions by using the object Transaction History, and thereby determine whether a specific authorization group can change or display a campaign or trade promotion. (Only supported in CRM E-Commerce.) In the IMG activity Define Authorization Group, for example, choose the following entries:
Object Name | Logical Key | Field Name | Mode
DOC_FLOW | BUS2010020 | OBJKEY_A | Change or Display
If you have activated the function Multiple Campaigns or Trade Promotions, you can then use this function to influence whether specific users can create or delete campaigns or trade promotions. In the IMG activity Define Authorization Group, choose the following entries:
Object Name | Logical Key | Field Name | Mode
DOC_FLOW | BUS2010020 | No entry | Create or Delete
The logical key BUS2010020 is valid for all campaign-business-object types: campaigns, campaign elements, trade promotions, or trade promotion elements.